Link: Credential phishing traversing Russian infrastructure
This rule detects credential phishing attempts in emails traversing Russian TLDs by aggressively analyzing links for signs of phishing, including suspicious keywords, login prompts, or links flagged for credential theft, excluding emails from trusted domains unless they fail DMARC verification.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing |
| Tactics and techniques | Social engineering |
Rule body MQL

```mql
type.inbound
and any(headers.domains, .tld in ("ru", "su"))
and any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft" and .confidence in ("medium", "high")
)
and 0 < length(body.links) < 5
and any(body.links,
        beta.linkanalysis(., mode="aggressive").credphish.disposition == "phishing"
        or (
          strings.icontains(beta.linkanalysis(., mode="aggressive").final_dom.raw,
                            "Pàsswórd"
          )
          and (
            beta.linkanalysis(., mode="aggressive").credphish.contains_login
            or beta.linkanalysis(.).credphish.contains_captcha
          )
        )
        or beta.linkanalysis(., mode="aggressive").effective_url.domain.tld in $suspicious_tlds
)
and (
  not profile.by_sender().solicited
  or profile.by_sender().any_messages_malicious_or_spam
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and (
      any(distinct(headers.hops, .authentication_results.dmarc is not null),
          strings.ilike(.authentication_results.dmarc, "*fail")
      )
    )
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
```
Detection logic
Scope: inbound message.
- inbound message
- any of headers.domains where:
  - .tld in ('ru', 'su')
- any of ml.nlu_classifier(body.current_thread.text).intents where all hold:
  - .name is 'cred_theft'
  - .confidence in ('medium', 'high')
- all of:
  - length(body.links) > 0
  - length(body.links) < 5
- any of body.links where any holds:
  - beta.linkanalysis(., mode='aggressive').credphish.disposition is 'phishing'
  - all of:
    - beta.linkanalysis(., mode='aggressive').final_dom.raw contains 'Pàsswórd' (case-insensitive)
    - any of:
      - beta.linkanalysis(., mode='aggressive').credphish.contains_login
      - beta.linkanalysis(.).credphish.contains_captcha
  - beta.linkanalysis(., mode='aggressive').effective_url.domain.tld in $suspicious_tlds
- any of:
  - not profile.by_sender().solicited
  - profile.by_sender().any_messages_malicious_or_spam
- any of:
  - all of:
    - sender.email.domain.root_domain in $high_trust_sender_root_domains
    - any of distinct(headers.hops) where .authentication_results.dmarc is not null:
      - .authentication_results.dmarc matches '*fail' (case-insensitive)
  - sender.email.domain.root_domain not in $high_trust_sender_root_domains
Inspects: body.current_thread.text, body.links, headers.domains, headers.domains[].tld, headers.hops, headers.hops[].authentication_results.dmarc, sender.email.domain.root_domain, type.inbound. Sensors: beta.linkanalysis, ml.nlu_classifier, profile.by_sender, strings.icontains, strings.ilike. Reference lists: $high_trust_sender_root_domains, $suspicious_tlds.
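To exercise the rule's gating and exclusion logic offline, here is an added Python model of its Boolean structure (example code, not part of the rule and not Sublime's API). It assumes the link-analysis, NLU and sender-profile results are precomputed fields on a constructed message dict, and the two reference lists are stand-in sets.

```python
from fnmatch import fnmatch

SUSPICIOUS_TLDS = {"top", "xyz"}        # constructed stand-in for $suspicious_tlds
HIGH_TRUST_ROOTS = {"microsoft.com"}    # constructed stand-in for $high_trust_sender_root_domains

def link_is_suspicious(link):
    """One body.links element; 'analysis' stands in for beta.linkanalysis(., mode='aggressive')."""
    la = link["analysis"]
    if la["credphish_disposition"] == "phishing":
        return True
    # strings.icontains is case-insensitive, hence casefold() on the rendered DOM
    if "pàsswórd" in la["final_dom"].casefold() and (la["contains_login"] or la["contains_captcha"]):
        return True
    return la["effective_tld"] in SUSPICIOUS_TLDS

def dmarc_failed(hops):
    """any(distinct(headers.hops, dmarc is not null), strings.ilike(dmarc, '*fail'))."""
    results = {h.get("dmarc") for h in hops if h.get("dmarc") is not None}
    return any(fnmatch(r.lower(), "*fail") for r in results)

def rule_fires(msg):
    """Top-level conjunction, in the same order as the MQL."""
    if not msg["inbound"]:
        return False
    if not any(tld in ("ru", "su") for tld in msg["header_tlds"]):
        return False
    if not any(i["name"] == "cred_theft" and i["confidence"] in ("medium", "high")
               for i in msg["intents"]):
        return False
    if not 0 < len(msg["links"]) < 5:        # 0 < length(body.links) < 5
        return False
    if not any(link_is_suspicious(l) for l in msg["links"]):
        return False
    if msg["solicited"] and not msg["sender_malicious_or_spam"]:
        return False
    # high-trust sender root domains are negated unless a hop shows a DMARC failure
    if msg["sender_root"] in HIGH_TRUST_ROOTS and not dmarc_failed(msg["hops"]):
        return False
    return True

def sample_message(**overrides):
    """Constructed message that satisfies every clause; overrides change one field."""
    link = {"analysis": {"credphish_disposition": "phishing", "final_dom": "",
                         "contains_login": False, "contains_captcha": False, "effective_tld": "com"}}
    msg = {"inbound": True, "header_tlds": ["ru"], "sender_root": "example.net",
           "intents": [{"name": "cred_theft", "confidence": "high"}], "links": [link],
           "solicited": False, "sender_malicious_or_spam": False, "hops": [{"dmarc": "dmarc=pass"}]}
    msg.update(overrides)
    return msg
```

Passing `sender_root="microsoft.com"` with a `dmarc=pass` hop shows the trusted-sender suppression, and swapping in a `dmarc=fail` hop shows the rule firing again.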
Indicators matched (7)
| Field | Match | Value |
|---|---|---|
| headers.domains[].tld | member | ru |
| headers.domains[].tld | member | su |
| ml.nlu_classifier(body.current_thread.text).intents[].name | equals | cred_theft |
| ml.nlu_classifier(body.current_thread.text).intents[].confidence | member | medium |
| ml.nlu_classifier(body.current_thread.text).intents[].confidence | member | high |
| strings.icontains | substring | Pàsswórd |
| strings.ilike | substring | *fail |